Additional Topics
This chapter provides additional information useful for understanding and administering the DirX Identity system.
If some steps fail during configuration:
- Check the log file to identify which parts did not run.
- Correct the error and restart the Configuration Wizard.
- You may select only those steps that did not finish successfully.
Disk Space Calculation
To calculate the required disk space for a DirX Identity installation, consider the following:
- Space for DirX Identity (see Disk Space Requirements).
- Additional space for auditing.
- Space for work and status areas where DirX Identity stores temporary and permanent files.
The next sections discuss disk space requirements for auditing and for work/status areas.
Space for Auditing
The required space for auditing depends on:
- Regularly remove auditing information from this area. Either import it into a database or store it on backup devices.
- Audit only the absolutely necessary objects in your Identity Store.
- Configure only the necessary attributes for these objects.
- Check whether signed audit records are really needed. If the audit area is secure, this may not be necessary. Signed records require about double the space and slow down real-time workflows considerably.
| Recommendation: Reserve enough space for auditing and write audit information to a separate disk to avoid impacting server operations. |
Space for Work and Status Areas
This can only be estimated and depends on:
- Files configured to be stored in the status area (by default, all files are stored).
- Amount of data (number and size of entries) to be synchronized.
- Frequency of scheduled workflows, configured status expiration time, and status compression mode.
Because status information can easily fill your disk, note:
- DirX Identity ignores a full disk in the status area but cannot handle a full disk in the work area.
Guidelines:
- Keep work and status areas on different disks.
- Mark only important files for automatic storage in the status area (e.g., trace and report files, not large data files).
- Set individual status expiration times for each workflow. Example:
  - 1 month for weekly workflows
  - 1 week for daily workflows
  - 1 day for workflows running every 10 minutes
- Set individual status expiration times for all Java-based Identity Servers.
These steps help make your system more reliable and resource-efficient.
Schema and Content Handling
During configuration, DirX Identity prepares the LDAP directory according to its requirements:
- Extends the LDAP directory schema for the Connectivity Configuration tree.
- Imports basic content into that tree, including DirX Identity Default Applications.
To run workflows, specific object classes and attributes for each agent type are required. Extend the schema for joined data in the Identity Store with agent-specific schema parts.
Setup of the Schema for Connectivity Configuration
DirX Identity extends the schema of the defined LDAP directory with object and attribute definitions needed for correct operation.
Basic Content Extension
DirX Identity writes all preconfigured objects (workflow, activity, job, connected directory definitions, etc.) from LDIF files to the LDAP directory. Based on this, administrators can configure their own objects and synchronizations.
Target System Specific Schema Extensions
Setting up the Identity Store schema for target systems should be carefully planned. Only set up required object classes and attributes for high performance and easy handling.
- DirX Identity automatically extends the schema if you select the Sample Domain.
- A minimal set of attributes and object classes is defined for all target systems requiring LDAP schema extensions.
- Not all target systems require schema changes.
- Using additional attributes in the Sample Domain requires manual schema extension.
For customer domain schema extension, DirX Identity provides complete sets of attribute and object class extensions for each supported target system type.
| Back up your directory before running any scripts! Schema extensions cannot be reversed. |
Steps:
- Open the directory DXI_INSTALL_PATH/schema/tools.
- Open the subdirectory for your directory type: dirx-ee for DirX Directory installation.
- Copy the entire Customer Domain subdirectory and name it Customer Domain.orig.
- Update schema definitions in the Customer Domain subdirectory as required. Additional steps for directory type dirx-ee (DirX V8.3 or higher):
  - Select the LDIF file of your DirX Identity Connectivity package in the ldif subdirectory (e.g., dirx.nt.ldif).
  - Remove unwanted attributes by deleting "MODIFY" records referring to attributeTypes.
  - Remove attributes from object class definitions by deleting LDAP attribute names from "MODIFY" records referring to objectClasses.
  - If indexes were defined for attributes, remove them from dbconfig_opt statements in the dirxadm script of your Connectivity package (e.g., DirXmetahub-schema.Nt.adm for NT).
- Run the script agent-schema.bat (Windows) or agent-schema.sh (Linux) under schema/tools.
  - Enter the DirX Identity administrator password (admin).
  - Select the DirX Identity Connectivity package to install this part of the schema extension (each package must be selected separately).
  - Choose whether to create attribute indexes.
- Check the trace.txt file at the end for errors (the exit codes at the end should be 0).
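Because schema extensions cannot be reversed, the following added pre-flight check (not part of the DirX Identity documentation or tooling) can be run before agent-schema: it compares an edited LDIF file with its Customer Domain.orig copy and reports object classes that still list an attribute whose attributeTypes record was deleted. It assumes the files contain standard LDIF modify records with RFC 4512 definitions; the DN, the OIDs and the object class name exampleADsUser in the sample are constructed.

```python
import re

def unfold(ldif):
    """Undo LDIF folding: a line that starts with one space continues the previous line."""
    return re.sub(r"\r?\n ", "", ldif)

def definitions(ldif, kind):
    """Values of all '<kind>: ( ... )' lines; kind is attributeTypes or objectClasses."""
    return re.findall(rf"(?im)^{kind}:\s*(\(.*\))\s*$", unfold(ldif))

def names(defn):
    """Names a definition declares: NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def used_attrs(defn):
    """Attribute names an object class lists after MUST or MAY."""
    used = set()
    for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w;-]+))", defn):
        used.update(a.strip() for a in (m.group(1) or m.group(2) or "").split("$") if a.strip())
    return used

def dangling_references(orig_ldif, edited_ldif):
    """Map object class -> attributes it still lists although their attributeTypes record is gone."""
    def declared(text):
        return {n.lower() for d in definitions(text, "attributeTypes") for n in names(d)}
    removed = declared(orig_ldif) - declared(edited_ldif)
    report = {}
    for d in definitions(edited_ldif, "objectClasses"):
        left = sorted(a for a in used_attrs(d) if a.lower() in removed)
        if left:
            report[(names(d) or ["?"])[0]] = left
    return report

# Constructed sample records (placeholder OIDs, hypothetical DN and object class name).
REC = "dn: cn=schema\nchangetype: modify\nadd: {0}\n{0}: {1}\n\n"
SYNTAX = "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15"
GUID = REC.format("attributeTypes", f"( 9.9.1 NAME 'dxmADsGuid' {SYNTAX} )")
FOREST = REC.format("attributeTypes", f"( 9.9.2 NAME 'dxmADsForest' {SYNTAX} )")
CLASS = REC.format("objectClasses", "( 9.9.3 NAME 'exampleADsUser' SUP top AUXILIARY\n  MAY ( {} ) )")
ORIG = GUID + FOREST + CLASS.replace("{}", "dxmADsGuid $ dxmADsForest")
# HALF_EDITED deleted the dxmADsForest record but not its object class entry; EDITED did both.
HALF_EDITED = GUID + CLASS.replace("{}", "dxmADsGuid $ dxmADsForest")
EDITED = GUID + CLASS.replace("{}", "dxmADsGuid")

if __name__ == "__main__":
    print(dangling_references(ORIG, HALF_EDITED), dangling_references(ORIG, EDITED))
```

An empty result means every deleted attribute was also removed from the object classes; index entries in the dirxadm script still have to be checked by hand.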
Indexed Attributes
DirX Identity requires a set of indexes. The minimum number of indexes is 84, the maximum number of indexes is 137 (all target system schema extensions performed).
This information is especially important for setting up DirX correctly.
DirX Identity Connectivity Configuration (17 attribute indexes)
dxmActive
dxmActivityStatusData-DN
dxmC
dxmDisplayName
dxmEndTime
dxmExitCode
dxmExpirationTime
dxmName
dxmOkStatus
dxmOrigWorkflow-DN
dxmResult
dxmScheduleName
dxmStartTime
dxmStatusExpirationTime
dxmType
dxmWarningStatus
dxmWorkflowInstID
DirX Identity Provisioning Configuration Extensions (67 attribute indexes)
dxmOprEventDivision
dxmOprMaster
dxmOprOriginator
dxmOprTriggerOrigin
dxmPwdLastChange
dxrAccessRightLink
dxrApproverLink
dxrApproverPotentialLink
dxrAssignedAccounts
dxrAssignedGroups
dxrAssignFrom
dxrAssignTo
dxrAssignmentLink
dxrCurrentParticipants
dxrDeleteDate
dxrDisableStartDate
dxrDisableEndDate
dxrEndDate
dxrErrorExpDate
dxrError
dxrExpirationDate
dxrGroupLink
dxrGroupMemberAdd
dxrGroupMemberDelete
dxrGroupMemberIgnore
dxrGroupMemberImported
dxrGroupMemberOK
dxrInheritedPrivilegeLink
dxrInheritedUserFacetPrivilegeLink
dxrIsActive
dxrIsExtensionGroup
dxrIsInconsistent
dxrName
dxrNeedsApproval
dxrNextApprovalDate
dxrObjectComplete
dxrObjectType
dxrOperationImp
dxrPeerTS
dxrPermissionLink
dxrPrimaryKey
dxrPrivilegeLink
dxrPrivilegesGrantedLink
dxrPwdChangedTime
dxrPwdChangeState
dxrReference
dxrResourceGroupLink
dxrResourceLink
dxrRoleID
dxrRoleLink
dxrRPvalues
dxrStartDate
dxrState
dxrSubjectLink
dxrSubjectGroupLink
dxrTBA
dxrToDo
dxrToPeer
dxrTSState
dxrTSStateExtended
dxrType
dxrUID
dxrUsedBy
dxrUserAssignementPossible
dxrUserLink
employeeNumber
uniqueMember
DirX Identity Connectivity Package Schema Extensions (18 attribute indexes)
If you install the sample domain, you need 18 additional indexes.
A) ADS: (7)
dxmADsComputerName
dxmADsDNSdomainName
dxmADsDomain
dxmADsForest
dxmADsGuid
dxmADsSamAccountName
B) Exchange 5.5: (2)
dxmEXcn
dxmEXrfc822Mailbox
C) Notes: (4)
dxmLNfullName
dxmLNlistName
dxmLNnoteID
dxmLNshortName
D) ODBC: (4)
dxmODBCdatabaseName
dxmODBCdatabaseType
dxmODBCfirstName
dxmODBClastName
E) SAP/R3-UM: (1)
sapUsername
DirX Identity Agent Schema Extensions for a Customer Domain (52 attribute indexes max)
For each Connectivity Package schema extension, you need the corresponding number of indexes. This list shows the maximum number delivered with each default set. If you extended the schema with fewer attributes, the number of indexes is lower.
A) ADS: (6)
dxmADsComputerName
dxmADsDNSdomainName
dxmADsDomain
dxmADsForest
dxmADsGuid
dxmADsSamAccountName
B) Exchange: (8)
dxmEXcn
dxmEXdescription
dxmEXemployeeNumber
dxmEXgivenName
dxmEXname
dxmEXrdn
dxmEXrfc822Mailbox
dxmEXsn
C) HDMS: (11)
dxmHDbuilding
dxmHDchristianName
dxmHDcompany
dxmHDcountry
dxmHDdmsid
dxmHDlocation
dxmHDname
dxmHDorg1
dxmHDorg2
dxmHDorg3
dxmHDsortName
D) Notes: (10)
dxmLNcomment
dxmLNemployeeID
dxmLNfirstName
dxmLNfullName
dxmLNinternetAddress
dxmLNlastName
dxmLNlistDescription
dxmLNlistName
dxmLNnoteID
dxmLNshortName
E) ODBC: (4)
dxmODBCdatabaseName
dxmODBCdatabaseType
dxmODBCfirstName
dxmODBClastName
F) SAPR3/HR: (4)
dxmSAPR3HRcommonName
dxmSAPR3HRgivenName
dxmSAPR3HrpersonnelNumber
dxmSAPR3HRsurName
G) SAP/R3-UM: (1)
sapUsername